scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-29 09:42:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
4af9178d7e554f42e4724fdfc5761b92fae15837
vault/enos/modules/vault_agent/scripts/set-up-approle-and-agent.sh
Ryan Cragun 4af9178d7e enos: fix licensing on backported files (#24163) 
Signed-off-by: Ryan Cragun <me@ryan.ec>
2023-11-16 12:59:51 -07:00

96 lines
2.2 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
set -e
binpath=${VAULT_INSTALL_DIR}/vault
fail() {
echo "$1" 1>&2
return 1
}
test -x "$binpath" || fail "unable to locate vault binary at $binpath"
export VAULT_ADDR='http://127.0.0.1:8200'
[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
# If approle was already enabled, disable it as we're about to re-enable it (the || true is so we don't fail if it doesn't already exist)
$binpath auth disable approle || true
$binpath auth enable approle
$binpath write auth/approle/role/agent-role secret_id_ttl=700h token_num_uses=1000 token_ttl=600h token_max_ttl=700h secret_id_num_uses=1000
ROLEID=$($binpath read --format=json auth/approle/role/agent-role/role-id | jq -r '.data.role_id')
if [[ "$ROLEID" == '' ]]; then
fail "expected ROLEID to be nonempty, but it is empty"
fi
SECRETID=$($binpath write -f --format=json auth/approle/role/agent-role/secret-id | jq -r '.data.secret_id')
if [[ "$SECRETID" == '' ]]; then
fail "expected SECRETID to be nonempty, but it is empty"
fi
echo "$ROLEID" > /tmp/role-id
echo "$SECRETID" > /tmp/secret-id
cat > /tmp/vault-agent.hcl <<- EOM
pid_file = "/tmp/pidfile"
vault {
address = "http://127.0.0.1:8200"
tls_skip_verify = true
retry {
num_retries = 10
}
}
cache {
enforce_consistency = "always"
use_auto_auth_token = true
}
listener "tcp" {
address = "127.0.0.1:8100"
tls_disable = true
}
template {
destination = "${VAULT_AGENT_TEMPLATE_DESTINATION}"
contents = "${VAULT_AGENT_TEMPLATE_CONTENTS}"
exec {
command = "pkill -F /tmp/pidfile"
}
}
auto_auth {
method {
type = "approle"
config = {
role_id_file_path = "/tmp/role-id"
secret_id_file_path = "/tmp/secret-id"
}
}
sink {
type = "file"
config = {
path = "/tmp/token"
}
}
}
EOM
# If Agent is still running from a previous run, kill it
pkill -F /tmp/pidfile || true
# If the template file already exists, remove it
rm "${VAULT_AGENT_TEMPLATE_DESTINATION}" || true
# Run agent (it will kill itself when it finishes rendering the template)
$binpath agent -config=/tmp/vault-agent.hcl > /tmp/agent-logs.txt 2>&1
Reference in New Issue View Git Blame Copy Permalink